Wikipedia has a great explanation of Safe Harbor. The short version is that there's a set of EU privacy laws that prevent companies in Europe from sending personally identifiable information to "third countries", which means any country not in the EU, including the United States. However, US companies can participate through the Safe Harbor Privacy Policy if they follow these seven principles.

Notice - Individuals must be informed that their data is being collected and about how it will be used.

Choice - Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.

Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.

Security - Reasonable efforts must be made to prevent loss of collected information.

Data Integrity - Data must be relevant and reliable for the purpose it was collected for.

Access - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.

Enforcement - There must be effective means of enforcing these rules.

This is important because it allows US companies to have European customers. Well, that's overstretching a little. It means that if you are storing personal data from an EU citizen, you can do so on your servers in the US if you comply with the Safe Harbor.

This was great for a while until the US passed the Patriot Act, where the US government gave itself permission to violate anyone's privacy regardless of where the data resided, as long as they could justify it as trying to stop terrorism. This was met with widespread criticism, as it gave a lot of unilateral power with little to no oversight to US government agencies. Then, more recently and partly in response to the Patriot Act, the European Court of Justice declared the Safe Harbor "invalid". This signals a complete collapse of the Safe Harbor.

In short, this means that as a US company, you have to be sure that your EU customers' data doesn't leave the EU. This will have an impact on your app's architecture, as you'll need the ability to figure out where your customers reside and segment the data into the correct data center based on their home address.

There are obviously more concerns than that but that's the minimum bar that you should be looking at.

Then there's the question of who owns the data center, and does that matter? Microsoft has even gone as far as to form a partnership with Deutsche Telekom to give customers the option of storing their customers' data in a German-owned data center, so that there's not even a US company involved in the storage of the data.

One of the huge open questions that nobody is able to answer right now is how do you prove that you're not storing customer data in the wrong data center and that it's not moving across lines?
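To make the architecture point and the "prove it" question above a bit more concrete, here is a small example I've added (not from the original post or any vendor): a write-time guard that routes each customer to a data center in the right jurisdiction, plus an audit that re-checks everything already stored. The region names, the EU country subset and the customer records are all made up for illustration.

```python
from dataclasses import dataclass

# Constructed subset of EU member-state codes; a real deployment loads the full list.
EU_COUNTRIES = frozenset({"DE", "FR", "NL", "IE", "IT", "ES", "PL", "SE"})

# Hypothetical region names and the jurisdiction each data center sits in.
REGION_JURISDICTION = {"eu-central": "EU", "us-east": "US"}

class ResidencyViolation(Exception):
    """Raised when a record would live in a region outside its required jurisdiction."""

@dataclass(frozen=True)
class Customer:
    customer_id: str
    country: str  # ISO 3166-1 alpha-2 code taken from the customer's home address

def required_jurisdiction(country: str) -> str:
    """EU residents' data must stay in the EU; everyone else may use the US data center."""
    return "EU" if country.upper() in EU_COUNTRIES else "US"

def region_for(customer: Customer) -> str:
    """Pick the data center whose jurisdiction matches where the customer resides."""
    needed = required_jurisdiction(customer.country)
    for region, jurisdiction in REGION_JURISDICTION.items():
        if jurisdiction == needed:
            return region
    raise ResidencyViolation(f"no data center available in jurisdiction {needed}")

def store(customer: Customer, region: str, storage: dict) -> None:
    """Write guard: refuse any write whose target region is in the wrong jurisdiction."""
    if REGION_JURISDICTION.get(region) != required_jurisdiction(customer.country):
        raise ResidencyViolation(f"{customer.customer_id} may not be stored in {region}")
    storage.setdefault(region, []).append(customer)

def audit(storage: dict) -> list:
    """Re-check every stored record; returns (customer_id, region) pairs that break residency."""
    return [(c.customer_id, region) for region, rows in storage.items() for c in rows
            if REGION_JURISDICTION.get(region) != required_jurisdiction(c.country)]

if __name__ == "__main__":
    db = {}
    for c in (Customer("c1", "DE"), Customer("c2", "US"), Customer("c3", "ie")):
        store(c, region_for(c), db)
    # Simulate a record that drifted (replica, migration, bulk import) into the US data center.
    db["us-east"].append(Customer("c4", "FR"))
    print(audit(db))  # [('c4', 'us-east')]
```

The write guard only covers your own code paths; the audit is what catches data that arrived some other way, which is exactly the gap the question above is about.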

So many questions and so few answers. Would love to see comments and conversations around this topic.